User Account

All Pages

Thread risk analysis and modeling process

Assignment Help Database Management System
Reference no: EM13907184

The Thread Risk Analysis and Modeling Process

1. Assemble the threat-modeling team.
2. Decompose the application.
3. Determine the threats to the system
4. Rank the threats risk by decreasing risk.
5. Choose how to respond to the threats
6. Choose techniques to mitigate the threats
7. Choose the appropriate technologies for the identified techniques. A. Assemble the threat risk modeling team (less than 10)
Security person

Members of design, development, testing, documentation, sales teams;

Communicate the goal of the meetings: to find threats, not to fix them

The iterative process should not take for ever

Decompose the application

Create high level diagrams of system components

Iteratively decompose the previous diagram layer, making sure all important elements are captured (remember the threat tree example)

C. Determine the threats and countermeasures for system components

Determine the Threat Risks

Rank the threats risk by decreasing risk.

Choose how to respond to the threats

Choose techniques to mitigate the threats

Choose the appropriate technologies for the identified techniques.

B. Decompose the application. Create high level diagrams of system components

1. Use DFDs(Data Flow Diagrams)[1]
https://www.slideshare.net/starbuck3000/threat-modeling-web-applications
Slides 53- include DFD demos
Not easy (Developers, other stakeholders)

2. Use the Thread Risk Analysis and Modeling Tool from Microsoft (TRAM)

Wizard based
Makes easier for developers to build the Thread Risk Model
Ensures detailed information is retained
Helps with Knowledge sharing between projects
Evaluates the application vulnerabilities to create a prioritized set of countermeasures to measure and contain the risks.

B.2. Create high level diagrams of system components (continued)

The list of components and their interactions help suggest the threat trees

Define User Roles such as Administrator, User, Web Designer, Auditor

Define Data Groups: Define the logical data groups in your application based on the functionality in the application; for example Payroll Data, Authentication Data, Web Pages, Web Service Code

Define Data Access Control: List what a user can do in the application: create, read, update, and/or delete (CRUD) within that group and add conditions, if any

Define Components, Service Roles, and Identities and Select Component Relevancies:

B.2. Create high level diagrams of system components (continued)

The list of components and their interactions help suggest the threat trees
For technologies not listed in the attack library, import the attack library: Tools -> Attack Library -> Import.

Generate/Create Use Cases: Menu item: Tools -> Generate Use Cases. The cases are based on the information from the previous steps.

Define CALLS: Detail each use case with its appropriate call structure: data sent/data received and authorization entries. You can copy/paste or drag/drop calls from one use case to another. Check each use case by looking at Call, Data and Trust flow Visualizations

) Determining Threats Risks and Countermeasures

Generate and Evaluate Threats: Tools -> Generate Threats, click "OK" to generate threats. Then evaluate each threat risk by selecting appropriate risk factors and risk response.

Use DREAD for evaluation.

Refresh Countermeasures: Tools -> Refresh Countermeasures, will identify countermeasures for each threat.

Analyze the Threat Trees

Customize Metadata: Tools -> Options -> metadata Editor

Download and install the TAM tool. Perform Threat Risk Modeling of the Payroll Application[1] using TAM. Submit 10 slides different than the slides given here as sample.

Provide at last 6 Analytics, Visualization or Reports Results including customization and additional configuration screens.
Check slides 4 for TAM tool and instruction

SwSecurity Design Best Practices

Addressing STRIDE concerns

Spoofing(Impersonation) vs Authentication

Spoofing(Impersonation) vs Authentication
Attacker steals or guesses another user's credentials
Attacker changes Session Cookie's content to make it appear as coming from another user or another server

Spoofing Countermeasures

Implement strong authentication
Use Operating system frameworks
(e.g.) Kerberos
Use Encrypted Session cookies
Use Digital Signatures

Weaknesses(Spoofing)

Using unencrypted credentials
Storing credentials in cookies/ parameters
Self-designed/unproven authentication methods
Authentication to the wrong trust domain

Tampering vs information integrity
WebSite Defacement
Changing data in transit

Tampering Countermeasures

Use operating system security to lock down files, directories, other resources
Validate and Sanitize input data
Encrypt/sign data in transit (SSL/ IPSec)

Weaknesses(Tampering)

Using data sources without validation
Running with escalated privileges
Unencrypted Sensitive data
Missing Input Validation

SwSecurity Design Best Practices

Attachment:- HomeWorkSecurity.rar

Reference no: EM13907184

Questions Cloud

Size of an uncompressed text : Suppose the size of an uncompressed text file is 1 megabyte. How long does it take to download the file over a 32 Kilobit per second modem? How long does it take to take to download the file over a 1 megabit per second modem?
What barriers to success might people with disabilities : What barriers to success might people with disabilities
Should the company accept the special order : Prepare a report to management explaining the findings for the situations described above. Include in the report a description of the steps that the company should the following to make these short term decisions. Explain the importance of develop..
Terms of the difference : A typical password is about 8 characters long (and so can be stored in 8 bytes, or 64 bits). However, a typical key for encryption/decryption is much longer, and a key of 64 bits would not be considered secure. Explain this in terms of the differe..
Thread risk analysis and modeling process : Determine the threats and countermeasures for system components and determine the Threat Risks - Decompose the application. Create high level diagrams of system components
Prepare the material price variance : After computing the individual variances, are there any variances that need to be investigated given the assumption that any variance in excess of 1% should be investigated? Explain.
Event model for marketing purposes : Many web sites make vigorous (over) use of many of the events in the dynamic HTML event model for marketing purposes. In some cases, one URL call may open 10 or more other Windows.
Arithmetic instructions and a branch instruction : A computer system is using pentium-5 processor with 5 stages in pipeline processing with cycle time of 5ns, whereas another computer system is using pentium-7 processor with 7 stages in pipeline processing with cycle time of 3.75 ns.
Find example most current year in each of funds were used : discuss when the government and nonprofit organizations would use each of the following funds:- Capital projects fund and Debt service fund

Reviews

Write a Review

Database Management System Questions & Answers

  Analyse the credit approval data set

Analyse the  Credit Approval  data set - A data set description in terms of the attributes present in the data, the number of instances,missing values, and other relevant characteristics.

  Its a lead a project that will implement a new learning

its a lead a project that will implement a new learning management system for your university. you have two key tasks

  Creating an er diagram

Creating an ER diagram, Listing the functional dependencies, confirming that the database is in at least 4NF, Using SQL commands to create the and populate the database (there do not need to be many rows)

  A uml class diagram to describe the ordering system class

a UML class diagram to describe the ordering system class

  Create a database and then secure it

The goal is simple; you are to install the O/S, the Database Server and create a database and then secure it all as best you can.

  Determine impacts on revenue resulting

If you need to determine impacts on revenue resulting from an increase or decrease in prices and/or sales, the best option to use is a

  Design the screen with the actual values

Design the screen with the actual values. Students have to also create a data dictionary to explain what type of data is expected to display with the given input.

  A database security did not take priority in the enterprise

Data breaches have been reported in all industries, from education to healthcare to finance. Database security did not take priority in the enterprise IT security plans until a few years ago

  Draw a context diagram for the order system

Kitchen Gadgets sells a line of high-quality kitchen utensils and gadgets. When customers place orders on the company's Web site or through electronic data interchange (EDI).

  Describe the challenges that an organization will face when

describe the challenges that an organization will face when changing business processes and how information systems

  Referential integrity constraint prevent from data inserting

What actions does a referential integrity constraint prevent from occurring when data is inserted in a table that contains this constraint?

  Explain planning proactive concurrency control methods

Evaluate which method would be efficient for planning proactive concurrency control methods and lock granularities. Assess how your selected method can be used to minimize the database security risks that may occur within a multiuser environment.

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +1-415-670-9521

Phone: +1-415-670-9521

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd